Release Date: 2009/10/29

Author: Bogdan Calin (bogdan [at] acunetix [dot] com)

Severity: Critical

Vendor Status: Vendor has released an updated version

I. Background

From Wikipedia: CubeCart is a free-to-use eCommerce software solution, designed to allow individuals and businesses to sell tangible and digital goods online. CubeCart is not Open Source software, although full source code is available at no cost, and the custom licensing model allows for customisation of the code.
…
CubeCart has developed a large fanbase, due in part to the relative ease of creating modifications and enhancements. In the September/October 2007 issue of Practical eCommerce magazine, CubeCart was placed at #1 in their list of ‘100 Most Notable Shopping Carts’.

II. Description

While auditing the source code of CubeCart version 4.3.4, I found a critical vulnerability in this application. Session management for administrative users is flawed and can be bypassed without providing any credentials. An attacker can then perform any action the administrator can, such as dumping the database, installing modules (PHP code execution) and so on.

CubeCart uses a MySQL table named CubeCart_admin_users to store information about administrative users.

When an administrator logs in, the application stores the session ID, browser (user agent) and IP address in the sessId, browser and sessIP fields of that table.

When the administrator logs out, these values are cleared, so sessId and the other fields become empty (an empty string).

This line will bypass all those complex checks: you just need to send an X_CLUSTER_CLIENT_IP header with an empty value. This line of code (the one with X_CLUSTER_CLIENT_IP) looks like a hack to me. It was probably added later to fix some bug or add a new feature.

III. Proof of concept

The conclusion is that by sending an empty sessId (the ccAdmin cookie), an empty User-Agent and an empty X_CLUSTER_CLIENT_IP header, you can bypass the authentication and perform any action an administrator can perform.
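The flaw described above comes down to comparing three stored fields that are blanked out on logout against three values the client controls, so "empty equals empty" passes. The following Python model is an added illustration and is not CubeCart's code: the table fields (sessId, browser, sessIP), the ccAdmin cookie and the X_CLUSTER_CLIENT_IP header come from the advisory, while the function names, the row structure and the hardened variant are assumptions made here to show the check next to a form that rejects a logged-out row and ignores the client-supplied IP header.

```python
"""Model of the admin session check as the advisory describes it (hypothetical).

vulnerable_is_admin(): plain string comparison of the stored row against
request-supplied values; a logged-out row ("" everywhere) matches a request
that sends empty values.
hardened_is_admin(): refuses empty sessions, compares the cookie in constant
time and binds the session to the real peer address, not a header.
"""
from dataclasses import dataclass
from typing import Dict
import secrets


@dataclass
class AdminRow:
    """One row of CubeCart_admin_users, restricted to the session fields."""
    admin_id: int
    sessId: str = ""
    browser: str = ""
    sessIP: str = ""


def client_ip(headers: Dict[str, str], remote_addr: str) -> str:
    # Modelled on the X_CLUSTER_CLIENT_IP line the advisory calls out:
    # if the header is present, its value replaces the real peer address.
    if "X_CLUSTER_CLIENT_IP" in headers:
        return headers["X_CLUSTER_CLIENT_IP"]
    return remote_addr


def vulnerable_is_admin(row: AdminRow, cookies: Dict[str, str],
                        headers: Dict[str, str], remote_addr: str) -> bool:
    # Every field is compared as a plain string; nothing checks that a
    # session exists at all, so "" == "" on all three fields succeeds.
    return (cookies.get("ccAdmin", "") == row.sessId
            and headers.get("User-Agent", "") == row.browser
            and client_ip(headers, remote_addr) == row.sessIP)


def hardened_is_admin(row: AdminRow, cookies: Dict[str, str],
                      headers: Dict[str, str], remote_addr: str) -> bool:
    # 1. A cleared row means no admin session; fail closed before comparing.
    if not row.sessId:
        return False
    # 2. The presented cookie must be non-empty and match in constant time.
    presented = cookies.get("ccAdmin", "")
    if not presented or not secrets.compare_digest(presented, row.sessId):
        return False
    # 3. Bind to the address the server actually saw; a client header is
    #    attacker-controlled and must not override it.
    if remote_addr != row.sessIP:
        return False
    # 4. User agent is a weak signal; still require a non-empty exact match.
    ua = headers.get("User-Agent", "")
    return bool(ua) and ua == row.browser


def login(row: AdminRow, user_agent: str, remote_addr: str) -> str:
    """Populate the session fields the way the advisory says login does."""
    row.sessId = secrets.token_hex(16)
    row.browser = user_agent
    row.sessIP = remote_addr
    return row.sessId


def logout(row: AdminRow) -> None:
    """Clear the session fields to empty strings, as the advisory describes."""
    row.sessId = ""
    row.browser = ""
    row.sessIP = ""


def demo() -> Dict[str, bool]:
    """Run both checks against a logged-out row receiving all-empty values."""
    row = AdminRow(admin_id=1)
    login(row, "Mozilla/5.0 (constructed)", "203.0.113.10")  # constructed sample
    logout(row)
    empty_request = ({"ccAdmin": ""}, {"User-Agent": "", "X_CLUSTER_CLIENT_IP": ""})
    return {
        "vulnerable_accepts_logged_out_row":
            vulnerable_is_admin(row, *empty_request, "198.51.100.7"),
        "hardened_accepts_logged_out_row":
            hardened_is_admin(row, *empty_request, "198.51.100.7"),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened variant also fixes a second weakness implicit in the advisory's description: because the IP comparison used a value taken from a request header, the "same IP" check was never binding to begin with. Detection-wise, an admin request carrying an empty ccAdmin cookie together with an empty User-Agent is an anomaly worth alerting on regardless of the application version.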

Here is a sample HTTP request that will dump the whole database in one request:

I find this behaviour completely unprofessional: a vendor should inform its customers when a serious vulnerability is fixed in their product, especially when the product is processing credit card data, like CubeCart does.

Charlie, this problem is very real. I don’t know why you cannot reproduce it.
This problem was initially reported to them (CubeCart) and after it was fixed (in 4.3.5), it was published on this blog. So, they reproduced and fixed the problem.